Tuesday, August 25, 2009

SQL Injection in Yahoo

SQL Injection in Yahoo, mysql 5, with shell upload possibility

A greyhat hacker has discovered a critical SQL injection vulnerability in Yahoo! Local Neighbors discussion board website. The flaw can be used to read information about administrative and user accounts or upload a shell on the server.

Neighbors is a Yahoo! Local feature launched at the end of 2007 with the purpose of providing a place for people to exchange information about events happening in their local communities and other useful info. Yahoo! describes the site as a "practical discussion board for any topic - from neighborhood safety to contractor recommendations."

The hacker who discovered the vulnerability goes by the online nickname of "Unu" and had previously uncovered similar vulnerabilities in other high profile websites. He notes that despite finding SQL injection and cross-site scripting (XSS) vulnerabilities in Yahoo! websites before, this is the first time when he encountered a MySQL 5 server being used by the company.

The screenshots provided by the hacker reveal the databases available on the server, as well as the users with access to them. While connections with the "root" account can only be established from local IP addresses owned by Yahoo!, Unu points out that an account called "reply_mon" can be used to access the databases from any host.

See More info: http://news.softpedia.com/news/Yahoo-Local-Hacked-120044.shtml

No comments: